From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
From: Yair Mizrahi
Date: Thu, 7 Sep 2023 16:15:32 -0700
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to a heap overflow
When the format is `Pixmap` it calculates the size of the image data as: ROUNDUP((bits_per_pixel * width), image->bitmap_pad); There is no validation on the `width` of the image, and so this calculation exceeds the capacity of a 4-byte integer, causing an overflow.
Signed-off-by: Alan Coopersmith
---
 src/ImUtil.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include
 #include
 #include
+#include
 #include "ImUtil.h"
 static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
 /*
 * compute per line accelerator.
 */
- {
- if (format == ZPixmap)
+ if (format == ZPixmap) {
+ if ((INT_MAX / bits_per_pixel) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
 min_bytes_per_line =
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
- else
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ } else {
+ if ((INT_MAX - offset) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
 min_bytes_per_line =
- ROUNDUP((width + offset), image->bitmap_pad);
+ ROUNDUP((width + offset), image->bitmap_pad);
 }
 if (image_bytes_per_line == 0) {
 image->bytes_per_line = min_bytes_per_line;
--
2.41.0
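Review bot: Both new guards in the XCreateImage hunk rely on preconditions that the hunk itself does not show: `INT_MAX / bits_per_pixel` is a division by zero if `bits_per_pixel` can be 0, and `INT_MAX - offset` overflows a signed int if `offset` can be negative. XCreateImage begins and ends outside this hunk, so earlier validation presumably excludes both cases; if it does, a comment above the first guard such as `/* bits_per_pixel > 0 and offset >= 0 are established above; reject widths whose line size would not fit in an int */` would keep a later refactor from moving the guards ahead of those checks. The comparisons also mix `INT_MAX` arithmetic with `width`, whose type is not visible here; if it is unsigned, stating that explicitly, e.g. `if (width > (unsigned int)(INT_MAX / bits_per_pixel))`, makes the intended conversion clear. A regression test that passes a width just above `INT_MAX / bits_per_pixel` and expects NULL would pin the fix.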